
HIPAA Mandate: Maintaining Business Continuity During Downtime

HIPAA’s “Security Guidelines” mandate that all healthcare organizations using healthcare data comply with its data security and integrity standards, and the penalties and fines for noncompliance are substantial. A contingency plan for disaster recovery and business continuity is a key standard stipulated in the HIPAA Security Rules under the Administrative Safeguards Section, so you clearly need to have such a plan in place.

The contingency plan should address data availability and the risks a business disruption poses to that availability. The goal is to ensure that staff can continue to provide patient care in spite of the disruption. The contingency plan should also outline strategies to ensure the recovery of networking systems, data and operations and the ability of the hospital to resume its normal functions in the event of a crisis, disaster or disruption.

Why Do Hospitals Need to Ensure Downtime Business Continuity?

Take the case of Sutter Health System. In August 2013, the 24-hospital Sutter Health System in Northern California reported that a software glitch with its $1 billion electronic health record system made it inaccessible to clinical staff. According to reports, the system outages across the hospitals lasted a full day.

Mike Hill, an RN at Sutter’s Alta Bates Summit Medical Center and a California Nurses Association representative for the hospital, explained the situation: “Many of the families became concerned because they noticed the patients were not getting their medications throughout the day,” he said. “Meds were not given for the entire day for many of the patients.”

There’s also the case of Fiona Stanley Hospital. In February 2015, doctors, nurses and administrators at Fiona Stanley Hospital, Australia’s most technologically advanced hospital, had to revert to “downtime procedures” when WA Health’s computer systems crashed for more than 14 hours during an outage caused by lightning storms.

According to the local health department, the crash resulted in the loss of clinical and non-clinical computer applications and the IT network, including email, forcing the staff to use pens and paper and then enter patient data once the system came back online.

While the hospital had downtime procedures and business continuity plans in place to ensure patient safety, the staff still had to resort to manual processes and later take the time to enter patient updates into the system, significantly reducing their productivity and responsiveness to patients.

How Are Your Clinicians Accessing Data During a Downtime?

Typically, when technology is not working, we have to revert to manual processes to get things done. It’s the same whenever a healthcare information system goes down: clinicians have to record patient information on paper. To prepare for a downtime, hospitals need to print, every day, reams of the critical patient records they will need while systems are unavailable. Both tasks are time consuming. Printing records in particular can take a couple of hours per day.

However, even if patient records have been printed out, getting access can still be a challenge. The paper may have been printed in the computer room and be inaccessible to many of the users. A major issue is how difficult it is to find information in the printed copies, as there are typically multiple reams of paper.

Most importantly, even organizations that have backup power, parallel systems and redundant solutions for providing system data cannot ensure that the data they provide is the most recent.

Steps to Ensure Uninterrupted Data Access and Business Continuity

Given all the possible issues and challenges presented above, one can see that having a contingency plan for business continuity is a good practice for healthcare organizations. Hospitals are a cornerstone of a community, so it is incumbent on them to remain open and fully operational through any disaster, outage, etc.

To prepare for any downtime, you need to determine your Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO refers to how long your organization can survive without a given critical business function. Is it just the current day, until tomorrow or until next week? Also, what resources are needed to ensure the restoration of the function within the RTO?

RPO refers to data-reliant processes and how current your data needs to be once systems are restored. Is it last night’s backup, or the last action taken? And, if you have a manual backup system, how long is it feasible to run the manual backup before restoration is impossible?

Are You Ready for The Next Downtime?

You may have complete downtime policies and procedures in place, but do you have a system that can automatically respond to an unexpected downtime and keep your organization fully functional until normal operations resume? Do you have a system that can provide your staff with access to the most up-to-date patient information to ensure patient safety?

To learn more about how you can get ready for your next downtime, sign up to get our whitepaper, “Healthcare Business Continuance: Implementing Procedures to Address Critical System Downtimes.”

Arthur Young

Arthur Young is a visionary healthcare information systems entrepreneur who has focused Interbit Data’s offerings on providing secure and reliable methods of connecting users with HCIS information. Prior to founding Medical Systems Solutions (the precursor to Interbit Data) in 1997, Arthur spent 10 years with MEDITECH and three years at JJWild.